Systems and methods for identifying unauthorized users of an electronic device

ABSTRACT

This is generally directed to identifying unauthorized users of an electronic device. In some embodiments, an unauthorized user of the electronic device can be detected by identifying particular activities that may indicate suspicious behavior. In some embodiments, an unauthorized user can be detected by comparing the identity of the current user to the identity of the owner of the electronic device. When an unauthorized user is detected, various safety measures can be taken. For example, information related to the identity of the unauthorized user, the unauthorized user's operation of the electronic device, or the current location of the electronic device can be gathered. As another example, functions of the electronic device can be restricted. In some embodiments, the owner of the electronic device can be notified of the unauthorized user by sending an alert notification through any suitable medium, such as, for example, a voice mail, e-mail, or text message.

CROSS REFERENCE TO RELATED APPLICATIONS

This is a continuation of U.S. application Ser. No. 13/615,304 filed Sep. 13, 2012, which is a continuation of U.S. application Ser. No. 12/389,106 filed Feb. 19, 2009, each of which is incorporated herein by reference in its entirety and for all purposes.

FIELD OF THE INVENTION

This relates to systems and methods for identifying unauthorized users of an electronic device. In particular, this relates to systems and methods for detecting an unauthorized user, gathering information related to the electronic device, the unauthorized user, or both, and transmitting an alert notification to a responsible party for the electronic device.

BACKGROUND OF THE INVENTION

People often possess and carry around a variety of electronic devices, such as, for example, cellular phones, PDA's, personal e-mail or messaging devices (e.g., a Blackberry™), and handheld media players (e.g., an iPod™). Many of these electronic devices are used frequently by their owners, and the electronic devices may contain personal or sensitive information stored within them. For example, the electronic devices may contain information such as credit card numbers, passwords, social security numbers, bank information, contact lists, or calendar information. Accordingly, if the electronic device is lost or stolen, the loss of the electronic device can be exceedingly disruptive to the owner's peace of mind and security. Thus, the owner may desire to find out where the lost electronic device is located or who may have gained possession of or stolen the electronic device.

SUMMARY OF THE INVENTION

Systems and methods for identifying unauthorized users of an electronic device are provided. In particular, systems and methods for detecting an unauthorized user, gathering information related to the electronic device, the unauthorized user, or both, and transmitting an alert notification to a responsible party for the electronic device are provided.

In some embodiments, an unauthorized user can be detected by comparing the identity of the current user to the identities of authorized users of the electronic device. For example, a photograph of the current user can be taken, a recording of the current user's voice can be recorded, the heartbeat of the current user can be recorded, or any combination of the above. The photograph, recording, or heartbeat can be compared, respectively, to a photograph, recording, or heartbeat of authorized users of the electronic device to determine whether they match. If they do not match, the current user can be detected as an unauthorized user.

In some embodiments, an unauthorized user can be detected by noting particular activities that can indicate suspicious behavior. For example, activities such as entering an incorrect password a predetermined number of times in a row, hacking of the electronic device, jailbreaking of the electronic device, unlocking of the electronic device, removing a SIM card from the electronic device, or moving a predetermined distance away from a synced device can be used to detect an unauthorized user.

In some embodiments, when an unauthorized user is detected, information related to the current user of the electronic device (e.g., the unauthorized user), the current user's operation of the electronic device, the electronic device's location, or any combination of the above can be gathered. For example, information such as the current user's photograph, a voice recording of the current user, screenshots of the electronic device, keylogs of the electronic device, communication packets (e.g., Internet packets) served to the electronic device, location coordinates of the electronic device, or geotagged photos of the surrounding area can be gathered.

Instead or in addition, when an unauthorized user is detected, various functions of the electronic device can be restricted. For example, access to particular applications can be restricted, access to sensitive information can be restricted, sensitive information can be erased from the electronic device, or any combination of the above.

In some embodiments, an alert notification can be sent to a responsible party when an unauthorized user is detected. The “responsible party” can be any persons suitable to receive the alert notification, such as, for example, the owner of the electronic device, proper authorities or police, persons listed in a contact book in the electronic device, or any combination of the above. In some embodiments, the alert notification can be a general warning that an unauthorized user has been detected (e.g., “Warning, your electronic device may have been stolen”). In some embodiments, the alert notification can contain any of the information gathered in response to an unauthorized user being detected (e.g., photographs, voice recordings, screenshots, geotagged photographs, or any other gathered information).

The alert notification can be transmitted to the responsible party through any suitable medium. For example, the alert notification can be sent as a voicemail, phone call, text message, e-mail, or facsimile. As another example, the alert notification can be sent through any suitable VoIP application (e.g., Skype™ or Windows™ Live Messenger), instant messaging application (e.g., AOL Instant Messenger™ or MSN Messenger™), on-line profile application (e.g., Facebook™ or Friendster™), blog application (e.g., Twitter or Xanga™), or “cloud” server (e.g., sent to a Mobile Me account associated with the owner of the electronic device).

BRIEF DESCRIPTION OF THE FIGURES

The above and other objects and advantages of the invention will be apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings, in which like reference characters refer to like parts throughout, and in which:

FIG. 1 shows an illustrative electronic device in accordance with some embodiments of the present invention;

FIG. 2 shows a schematic view of an illustrative electronic device in accordance with some embodiments of the present invention;

FIG. 3 shows a schematic view of an illustrative communications system in accordance with some embodiments of the invention;

FIG. 4 shows an illustrative log of users of an electronic device in accordance with some embodiments of the present invention; and

FIGS. 5-6b show illustrative processes for identifying unauthorized users of an electronic device in accordance with some embodiments of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 shows illustrative electronic device 100 that is in accordance with some embodiments of the present invention. In some embodiments, electronic device 100 can include, for example, a cellular phone which can communicate over a cellular network. In some embodiments, electronic device 100 can include a cellular phone that can communicate through a non-cellular network system, such as Voice Over Internet Protocol (VoIP). Furthermore, although generally depicted as a portable, handheld device and as having a particular shape and design in FIG. 1, one skilled in the art could appreciate that electronic device 100 can include any suitable size, shape, or design. For example, in some embodiments, electronic device 100 can be a non-handheld device such as a desktop computer, a handheld device such as personal data assistant (“PDA”), a personal e-mail or messaging device (e.g., a Blackberry® or a Sidekick®), a handheld media player such as an iPod™ (available from Apple Inc. of Cupertino, Calif.), a laptop computer, or any other suitable device. When a cellular phone is discussed below, one skilled in the art could appreciate that any of the above-mentioned electronic devices could alternatively be utilized.

Electronic device 100 can include main device 102 and one or more of accessory device 104. Generally, any of the components of electronic device 100 described below can be integrated into main device 102, contained in accessory device 104, or both. Additionally, although accessory device 104 is depicted as being physically coupled to main device 102 in FIG. 1, accessory device 104 may alternatively be wirelessly coupled to main device 102.

There can be multiple ways of connecting accessory device 104 to main device 102 through, for example, connector 118. Persons skilled in the art will appreciate that connector 118 can be any suitable connector such as one or more USB ports, 30-pin connector ports, docks, expansion ports, and headset jacks.

Electronic device 100 can include display screen 106. Further to the discussion above, display screen 106 does not need to be integrated into main device 102, and in other embodiments can be an accessory device that is physically or wirelessly coupled to main device 102. For example, display screen 106 can include a computer monitor, a television screen, a projection screen, a liquid crystal display (“LCD”), light emitting diode (“LED”) display, organic light-emitting diode (“OLED”) display, surface-conduction electron-emitter display (“SED”), carbon nanotubes, nanocrystal displays, or any other suitable screen. Display screen 106 can present various types of information to the user such as graphical and textual displays. In some embodiments, display screen 106 can function as a user input mechanism that allows for a touch screen or user input via a stylus.

Electronic device 100 can also include one or more of user input mechanisms 108 and 110. These mechanisms can include, for example, one or more buttons, switches, track wheels, click wheels, or keyboards. Electronic device 100 can include one or more of port 112 for coupling external data or hard drives into electronic device 100. For example, port 112 can enable electronic device 100 to receive SIM cards, flash drives, or external hard drives.

Electronic device 100 can include any suitable user input/output devices such as microphone 114 and one or more of speaker 116. Although depicted as being integrated into accessory device 104, one skilled in the art could appreciate that microphone 114 and speakers 116 may alternatively or additionally be contained in main device 102.

Electronic device 100 can include one or more of camera 120. Similar to the above-mentioned components, camera 120 can be integrated into main device 102 or can additionally or alternatively be integrated into accessory device 104. Camera 120 can be used as an input device to capture visual images (e.g., photos). Visual images that are captured by camera 120 can be, for example, stored in memory within electronic device 100, transmitted over a communications network to another electronic device, edited, or processed in any other suitable way. Camera 120 can be oriented in any suitable manner, including for example facing towards or away from the user when the user looks at screen 106.

FIG. 2 shows a schematic view of an illustrative electronic device in accordance with some embodiments of the invention. For example, electronic device 200 can correspond to electronic device 100 of FIG. 1. Electronic device 200 can include control circuitry 202, storage 204, memory 206, input/output circuitry 208, communications circuitry 210, and positioning circuitry 212. In some embodiments, one or more of electronic device components 200 can be combined or omitted (e.g., storage 204 and memory 206 can be combined). In some embodiments, electronic device 200 can include other components not combined or included in those shown in FIG. 2 (e.g., motion detection components, a power supply, or a bus), or several instances of the components shown in FIG. 2. For the sake of simplicity, only one of each of the components is shown in FIG. 2.

Control circuitry 202 can include any processing circuitry or processor operative to control the operations and performance of electronic device 200. For example, control circuitry 200 can be used to run operating system applications, firmware applications, media playback applications, or any other application. In some embodiments, the control circuitry can drive a display and process inputs received from a user interface.

Storage 204 and memory 206 can include, for example, one or more storage mediums including a hard-drive, solid state drive, flash memory, permanent memory such as ROM, cache memory, semi-permanent memory such as RAM, or any other suitable type of storage component, or any combination thereof. One or both of storage 204 and memory 206 can store, for example, media data (e.g., music, picture, and video files), application data (e.g., for implementing functions on electronic device 200), firmware, user preference information data (e.g., contact lists), authentication information (e.g., libraries of data associated with authorized users), wireless connection information data (e.g., information that can enable electronic device 200 to establish a wireless connection), and any other suitable data or any combination thereof. In some embodiments, memory 206 and storage 204 can be combined as a single storage medium.

Input/output circuitry 208 can be operative to convert (and encode/decode, if necessary) analog signals and other signals into digital data, and vice-versa. For example, input/output circuitry 208 can be operative to convert signals received from any suitable input device such as, for example, an accelerometer, magnetometer, photodetector, or input mechanisms 108 and 110 of FIG. 1, into digital data. As another example, input/output circuitry 208 can convert signals received from input devices such as microphone 114 and camera 120 of FIG. 1.

Communications circuitry 210 can include any suitable communications circuitry operative to connect to a communications network and transmit or receive communications (e.g., data) with electronic device 200. Communications circuitry 210 can be operative to interface with a communications network using any suitable communications protocol such as, for example, Wi-Fi (e.g., a 802.11 protocol), Bluetooth®, near field communications (“NFC”), radio frequency systems (e.g., 900 MHz, 2.4 GHz, and 5.6 GHz communication systems), infrared, GSM, GSM plus EDGE, CDMA, quadband, other cellular protocols, VOIP, or any other suitable protocol. In some embodiments, communications circuitry 210 can enable electronic device 200 to be coupled to a host device or to another electronic device. Electronic device 200 can be coupled to perform functions such as, for example, data transfers, synching the electronic device, software updates, or any other suitable operation.

Positioning circuitry 212 can include any suitable circuitry for determining the current location of electronic device 200. In some embodiments, positioning circuitry 212 can include a global positioning system (“GPS”) that returns the geographic location (e.g., the longitude and latitude coordinates) of electronic device 200. In some embodiments, the current location can be derived from any suitable trilateration or triangulation technique. For example, the device can determine its location using various measurements (e.g., signal-to-noise ratio (“SNR”) or signal strength) of a network signal (e.g., a cellular telephone network signal) associated with the device. Other forms of wireless-assisted GPS (sometimes referred to herein as enhanced GPS or A-GPS) can also be used to determine the current position of electronic device 200. In some embodiments, a device can determine its location based on a wireless network or access point that is in range or a wireless network or access point to which the device is currently connected.

In some embodiments, electronic device 200 can include a bus operative to provide a data transfer path for transferring data to, from, or between control circuitry 202, storage 204, memory 206, input/output circuitry 208, communications circuitry 210, and any other component included in electronic device 200.

FIG. 3 is a schematic view of communications system 300 in accordance with some embodiments of the present invention. Communications system 300 can include electronic device 302 coupled to communications network 304. For example, electronic device 302 can correspond to electronic device 100 of FIG. 1. Electronic device 302 can use communications network 304 to perform wireless or wired communications with other devices within communications network 304, such as friendly device 306. Friendly device 306 can include any suitable device in communication with electronic device 302 such as, for example, a cellular phone, a computer, a remote server, a PDA, a personal e-mail or messaging device (e.g., a Blackberry® or a Sidekick®), a handheld media player such as an iPod™ (available from Apple Inc. of Cupertino, Calif.), or any other suitable device. Although communications system 300 can include several instances of electronic device 302 and friendly device 306, only one of each is shown in FIG. 3 for simplicity and clarity.

Any suitable circuitry, device, system, or combination of these components operative to create a communications network can be used to create communications network 304. In some embodiments, communications network 304 can support, for example, WiFi (e.g., a 802.11 protocol), Bluetooth®, NFC, Internet servers, VoIP, radio frequency systems (e.g., 900 MHz, 2.4 GHz, and 5.6 GHz communication systems), infrared, GSM, GSM plus EDGE, CDMA, quadband, other cellular protocols, or any other suitable protocol.

Communications system 300 can include host device 308. Electronic device 302 can be coupled with host device 308 over communications link 310 using any suitable approach. For example, communications link 310 can include any suitable wireless communications protocol, wired link, or combination of the above. Electronic device 302 can be coupled to host device 308 to perform functions such as, for example, data transfers, synching electronic device 302 with host device 308, software updates, or any other suitable operation. Although only one instance of host device 308 is shown in FIG. 3, communications system 300 can alternatively include one or more instances of host device 308.

As mentioned above, this is generally directed to identifying unauthorized users of an electronic device. For example, in some embodiments, an unauthorized user of the electronic device can be detected (e.g., it can be detected that someone other than the owner of the electronic device has gained possession of or is using the electronic device). When the unauthorized user has been detected, various safety measures can be taken. For example, information related to the unauthorized user's identity or operation of the electronic device or information related to the current location of the electronic device can be gathered. In some embodiments, the owner can be notified that an unauthorized user has been detected by sending an alert notification through, for example, an e-mail, text message, facsimile, or any other suitable medium.

As used herein, the term “owner” refers to any authorized user of an electronic device. The term “owner” can apply to a person who owns or who has paid for the electronic device, to any persons who have permission or authorization to use that electronic device, or to both (e.g., an employer providing an electronic device to an employee). For example, an entire family may decide to share a single cellular phone. Although only one person in the family has paid for the phone, everyone in the family is an authorized user of the phone. Also, as used herein, the term “unauthorized user” or “thief” can apply to a person who has, for example, stolen an electronic device, found an electronic device that has been lost, or in any other manner picks up or attempts to use an electronic device which they are not authorized to use.

In some embodiments, to detect an unauthorized user of the electronic device, the identity of the current user can be determined. If the identity of the current user does not match the identity of the owner of the electronic device, the current user can be detected as an unauthorized user. For example, a face recognition system can be used to determine the current user's identity. The face recognition system can take a picture of the current user with a camera, such as camera 120 of FIG. 1. The picture can then be analyzed to determine whether or not the picture of the current user matches an authorized user. For example, the picture can be compared to images stored in a database of authorized users. If the picture of the current user does not match an authorized user, he can be detected as an unauthorized user. Various ways in which an electronic device can respond to detecting an unauthorized user will be discussed in more detail in the description and figures to follow.

As another example, a voice recognition system can be used to determine the current user's identity. In some embodiments, the current user's voice can be recorded through a microphone, such as microphone 114 of FIG. 1. The recording can then be analyzed to determine whether or not the recorded voice matches the voice of an authorized user (e.g., matches a “voice print” of an authorized user). Similar to the face recognition system, the recording can be compared to recordings of authorized users that are stored in a database. If the voice of the current user does not match the voice of an authorized user, the current user can be detected as an unauthorized user.

As another example, a heartbeat sensor can be used to determine the current user's identity. Generally, each person can have a unique heartbeat. For example, by analyzing the ratio between the high and low peaks measured in an electrocardiogram (“ECG”) of a user's heart, a unique heartbeat “signature” that is distinctive to each user can be identified. Thus, by analyzing the heartbeat of the current user and comparing it to the owner's heartbeat, the electronic device can determine whether or not the current user matches an authorized user.

In some embodiments, to detect an unauthorized user of the electronic device, particular activities can be identified. As one example, the electronic device can monitor how many times in a row a current user enters an incorrect password, or how many times a current user enters an incorrect password within a certain amount of time. If the current user exceeds a predetermined threshold (e.g., if the current user enters an incorrect password more than three times in a row, or enters an incorrect password more than 3 times within one minute), it can be determined that he is an unauthorized user. Generally, an activity such as repeatedly entering incorrect passwords can indicate that the current user is not the owner and, rather, may be a person who is trying to hack into the electronic device.
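
A minimal sketch of the incorrect-password check described above, added here as an illustration and not taken from the patent: it applies both example thresholds (more than three failures in a row, or more than 3 failures within one minute). The class name, the rule labels, and the sample event sequences are constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, List, Optional, Tuple


@dataclass
class FailedUnlockMonitor:
    """Flags a possible unauthorized user from password-entry outcomes."""
    max_consecutive: int = 3      # alert on MORE than three failures in a row
    max_in_window: int = 3        # alert on MORE than 3 failures in the window
    window_seconds: float = 60.0  # "within one minute"
    streak: int = 0
    recent: Deque[float] = field(default_factory=deque)

    def record(self, timestamp: float, success: bool) -> Optional[str]:
        """Feed one attempt; return the rule that fired, or None."""
        # Forget failures that have aged out of the sliding window.
        while self.recent and timestamp - self.recent[0] >= self.window_seconds:
            self.recent.popleft()
        if success:
            # A correct password ends the streak, but recent failures stay
            # in the window so interleaved guessing is still counted.
            self.streak = 0
            return None
        self.streak += 1
        self.recent.append(timestamp)
        if self.streak > self.max_consecutive:
            return "consecutive"
        if len(self.recent) > self.max_in_window:
            return "rate"
        return None


def evaluate(events: Iterable[Tuple[float, bool]]) -> List[Tuple[float, str]]:
    """Run (timestamp_seconds, success) events through a fresh monitor."""
    monitor = FailedUnlockMonitor()
    alerts = []
    for timestamp, success in events:
        rule = monitor.record(timestamp, success)
        if rule is not None:
            alerts.append((timestamp, rule))
    return alerts


# Constructed sample sequences (seconds since first attempt, success flag).
# Slow guessing: never 4 failures in one minute, but 4 in a row.
SLOW_GUESSING = [(0, False), (100, False), (200, False), (300, False)]
# A correct entry at t=15 breaks the streak, yet 4 failures land in a minute.
INTERLEAVED = [(0, False), (10, False), (15, True), (20, False), (30, False)]
# Occasional typos spread over time: neither threshold is exceeded.
OWNER_TYPOS = [(0, False), (70, False), (80, True), (140, False), (210, False)]

if __name__ == "__main__":
    for name, events in [("slow", SLOW_GUESSING),
                         ("interleaved", INTERLEAVED),
                         ("typos", OWNER_TYPOS)]:
        print(name, evaluate(events))
```

The two rules cover different cases: the streak counter catches slow guessing that stays under the per-minute limit, and the sliding window catches bursts that a single correct entry would otherwise reset.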

As another example, an activity that can detect an unauthorized user can be any action that may indicate the electronic device is being tampered with by being, for example, hacked, jailbroken, or unlocked. For example, a sudden increase in memory usage of the electronic device can indicate that a hacking program is being run and that an unauthorized user may be using the electronic device. “Jailbreaking” of an electronic device can generally refer to tampering with the device to allow a user to gain access to digital resources that are normally hidden and protected from users. “Unlocking” of a cellular phone can generally refer to removing a restriction that “locks” a cellular phone so it may only be used in specific countries or with specific network providers. Thus, in some embodiments, an unauthorized user can be detected if it is determined that the electronic device is being jailbroken or unlocked. As yet another example of activities that can indicate tampering with the electronic device, an unauthorized user can be detected when a Subscriber Identity Module (“SIM”) card is removed from or replaced in the electronic device.

In some embodiments, an unauthorized user can be detected when the electronic device moves a predetermined distance away from a device with which it has been synced through, for example, Bluetooth® pairing or Near Field Communications (“NFC”). For example, the electronic device may be synced with a wireless headset, a laptop, a security token device such as a key fob, a keychain, or any combination of the above. In some embodiments, if the electronic device moves a relatively short distance away from the synced device (e.g., 20 feet), the owner can be warned of the electronic device's movement. If the electronic device continues to move farther away from the synced device (e.g., 50 feet), a formal alert signaling that an unauthorized user has been detected can be generated. In this manner, since a warning is provided first, if the owner is responsible for moving the electronic device away from the synced device (e.g., as opposed to a thief who is stealing the electronic device), the owner may not be startled when the formal alert is generated but may disregard the formal alert.

As mentioned above, an unauthorized user can be detected by, for example, the output of an appropriate sensor or by identifying particular activities (e.g., by receiving a predetermined number of incorrect passwords, noting hacking, jailbreaking, unlocking, or removal of a SIM card, or moving a certain distance away from a synced device). Generally, when an unauthorized user is detected, various types of information can be gathered and a responsible party (e.g., the owner, the police, or the proper authorities) can be notified. Various ways of gathering information and notifying a responsible party will be described in more detail in the descriptions and figures to follow.

In some embodiments, when an unauthorized user is detected (e.g., by any of the above-mentioned ways), information related to the current user's identity or the current user's operation of the electronic device can be gathered. For example, a photograph of the current user can be taken with a camera, such as, for example, camera 120 of FIG. 1. In some embodiments, the photograph can be taken without a flash, any noise, or any indication that a picture is being taken to prevent the current user from knowing he is being photographed. As another example, a recording can be taken to capture the current user's voice through, for example, microphone 114 of FIG. 1. In some embodiments, the recording can be taken when the current user makes a phone call with the electronic device. In some embodiments, the electronic device can record any voices or sounds that are detected, regardless of whether or not a phone call is being made.

In some embodiments, when an unauthorized user is detected, information related to the current user's operation of the electronic device can be gathered (e.g., information related to the usage of the electronic device, as opposed to the mere entering of authentication information or turning-on of the electronic device). For example, keylogging software can be activated to record any keystrokes made by the current user. As another example, screenshots of the electronic device can be taken. As another example, the current user's Internet activity can be monitored or any communication packets that are served to the electronic device can be recorded. As another example, if the current user attempts to synchronize or couple the electronic device to a computer (or other host device), that computer's information can be gathered and recorded (e.g., the computer's IP address, Internet provider, and broadband service).

In some embodiments, when an unauthorized user is detected, the electronic device's location can be determined. For example, positioning circuitry, such as positioning circuitry 212 of FIG. 2, can use a GPS, a trilateration technique, a triangulation technique, a wireless-assisted GPS, or any combination of the above to determine the location coordinates of the electronic device. As another example, audio recordings of the surrounding area can be recorded and analyzed to determine the current location. In some embodiments, a photograph of the surrounding location can be taken and then “geotagged” by associating the photograph with the determined location coordinates. Photographs can be taken at regular intervals (e.g., every five minutes) to determine whether or not the electronic device is in the process of moving. In some embodiments, the current location can be determined by analyzing the photographs. For example, the photograph can be analyzed to detect distinguishing landmarks such as mountain ranges, constellations, street signs, stores, or any other suitable landmark. This technique can be beneficial in the event that, for example, alternate systems for determining the electronic device's location (e.g., a GPS system) are not available or cease functioning correctly.

In some embodiments, when an unauthorized user is detected, an accelerometer can be utilized to determine the mode of transportation of the electronic device. For example, the mode of transportation can be determined by utilizing a signal processing system to identify the “vibration profile” of any movement experienced by the electronic device. The vibration profile can be analyzed to determine whether it matches the vibration profile for movement types such as, for example, walking, running, riding on a train, riding in a car, flying in a plane, or riding on a bike.

In some embodiments, when an unauthorized user is detected, various functions of the electronic device can be restricted or prohibited. As one example, access to certain applications (e.g., contact books, Internet browsers, calendars, e-mail, or any other suitable application) can be restricted. As another example, access to sensitive information such as credit card information, social security numbers, banking information, home addresses, or any other delicate information can be prohibited. In some embodiments, the sensitive information can be erased from the electronic device. For example, the sensitive information can be erased directly after an unauthorized user is detected. However, as this may unfavorably erase information in response to a false detection (e.g., the electronic device malfunctions by incorrectly identifying the owner as an unauthorized user) and can be a nuisance to the owner, in some embodiments the information can be erased after a predetermined period of time (e.g., 48 hours) has passed. For example, if an unauthorized user has been detected, and the owner has not reclaimed possession of the electronic device within the predetermined period of time, the sensitive information can then be erased. In some embodiments, the sensitive information can be erased from the electronic device after being backed-up on a remote server. In this scenario, until a user is properly identified as an authorized user of the electronic device, access to the sensitive information on the remote server can be denied.
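
The delayed-erase behavior described above can be expressed as a small state machine; this is an added illustration, not code from the patent. The class and method names are hypothetical, the 48-hour grace period is the patent's example value, and the rule that repeated detections keep the original deadline is an assumption of this sketch.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

GRACE_SECONDS = 48 * 3600  # "predetermined period of time (e.g., 48 hours)"


class State(Enum):
    NORMAL = "normal"          # full access
    RESTRICTED = "restricted"  # sensitive data locked, erase timer running
    WIPED = "wiped"            # sensitive data erased from the device


@dataclass
class WipePolicy:
    """Restrict at once, erase only after the grace period (hypothetical API)."""
    require_backup: bool = True      # erase only after a remote backup exists
    state: State = State.NORMAL
    deadline: Optional[float] = None
    backed_up: bool = False

    def on_unauthorized_detected(self, now: float) -> None:
        # Assumption of this sketch: only the first detection starts the
        # timer, so repeated detections cannot push the deadline back.
        if self.state is State.NORMAL:
            self.state = State.RESTRICTED
            self.deadline = now + GRACE_SECONDS

    def on_backup_complete(self) -> None:
        self.backed_up = True

    def on_owner_verified(self) -> None:
        # A false detection, or the owner reclaiming the device, cancels
        # the pending erase. Data that was already erased stays erased.
        if self.state is State.RESTRICTED:
            self.state = State.NORMAL
            self.deadline = None

    def tick(self, now: float) -> State:
        """Evaluate the timer; call periodically with the current time."""
        expired = self.deadline is not None and now >= self.deadline
        safe_to_erase = self.backed_up or not self.require_backup
        if self.state is State.RESTRICTED and expired and safe_to_erase:
            self.state = State.WIPED
        return self.state

    def remote_backup_readable(self) -> bool:
        # Access to the backup is denied until an authorized user is verified.
        return self.backed_up and self.state is State.NORMAL


if __name__ == "__main__":
    # Constructed scenario: false detection, owner re-authenticates in 1 hour.
    false_alarm = WipePolicy()
    false_alarm.on_unauthorized_detected(now=0)
    false_alarm.on_owner_verified()
    print(false_alarm.tick(GRACE_SECONDS + 1))

    # Constructed scenario: device never reclaimed, backup finishes first.
    stolen = WipePolicy()
    stolen.on_unauthorized_detected(now=0)
    stolen.on_unauthorized_detected(now=40 * 3600)  # does not extend deadline
    stolen.on_backup_complete()
    print(stolen.tick(47 * 3600), stolen.tick(GRACE_SECONDS))
```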

In some embodiments, information related to the current user's identity and the current user's operation of the electronic device can be gathered every time the electronic device is turned on, unlocked, or used. For example, information such as photographs of the current user, keylogs of his activities, or screenshots of the electronic device can be gathered. This can favorably allow a log of who is using the electronic device to be generated. In some embodiments, generating a log of users of an electronic device can aid an owner in determining if someone is “snooping” through or using their electronic device without permission. For example, FIG. 4 shows an illustrative log 400 of users of an electronic device such as, for example, a cellular phone.

Log 400 can include User Column 402 that can display the pictures taken of people who have used the cellular phone. For example, a camera, such as camera 120 of FIG. 1, can be configured to take a picture of the current user every time the electronic device is turned on, unlocked, or used. In some embodiments, log 400 can include Date Column 404 that can identify the time, date, or both of when a person uses the cellular phone, Phone Calls Column 406 that can identify any phone calls made, and Applications Column 408 that can identify any applications used on the cellular phone. For example, log 400 shows that the person identified by picture 410 used the cellular phone on January 2nd and checked text messages, voicemails, and phone call history. As another example, the user identified by picture 412 used the cellular phone on January 3rd and called Henry Smith and Suzie Lee. In some embodiments, log 400 can include screenshots from the electronic device that are taken while the person is using the cellular phone. Generating a log and taking photographs of a user every time an electronic device is used can beneficially reduce the need for complex algorithms. For example, since a person is photographed each time the electronic device is used, there may be no need for face recognition or voice recognition algorithms to determine whether or not the current user is an authorized user before photographing him.

When an unauthorized user is detected, various types of information can be gathered (e.g., information related to the identity of the current user, information related to the current user's operation of the electronic device, information related to the electronic device's location, or any combination of the above) and a responsible party can be notified with an “alert notification”. In some embodiments, the alert notification can be a general message conveying that the electronic device is not in the possession of an authorized user. For example, a message such as, “Warning, your cellular phone may have been stolen” or “Your electronic device may be in the possession of an unauthorized user” can be sent to the responsible party. In some embodiments, the alert notification can include any of the information gathered when an unauthorized user is detected (e.g., photographs of the “thief,” voice recordings, screenshots of the electronic device, keylogs, a listing of communication packets (e.g., Internet packets) served to the device, the electronic device's location, geotagged photographs, photographs of the surrounding area, or mode of transportation of the electronic device).

The “responsible party” can be any person or persons who are suitable to receive the alert notification. For example, the responsible party can be the owner of the electronic device. As another example, the responsible party can be the proper authorities or the police. As yet another example, the responsible party can be any person listed in a contact book stored in the electronic device. As yet another example, the responsible party can be a cellular phone carrier for the electronic device. In this case, when the phone carrier receives the alert notification, the phone carrier can, for example, shut down any telephone service to the electronic device, shut down the electronic device itself, or otherwise suitably restrict the functions of the electronic device. In some embodiments, the members of the responsible party can be chosen through user-controlled options, thus allowing the owner to select who can be notified when an unauthorized user is detected.

The alert notification can be sent to the responsible party through any suitable medium. For example, the alert notification can be sent via a phone call, voicemail, text message, facsimile message, or any combination of the above. As another example, the alert notification can be sent via a VoIP application (e.g., Skype™ or Windows™ Live Messenger), via an instant messaging application (e.g., AOL Instant Messenger™ or MSN Messenger™), as a message through an on-line profile (e.g., Facebook™ or Friendster™), as a message through an on-line blog (e.g., Twitter or Xanga™), or to a “cloud” server (e.g., to a Mobile Me account associated with the owner of the electronic device). In some embodiments, the owner can define which mediums are used through user-controlled options. For example, the owner can choose one or more of the above-mentioned mediums and can assign which phone numbers, e-mail addresses, screen names, or other appropriate addresses are used.

FIG. 5 shows illustrative process 500 for identifying unauthorized users of an electronic device. At step 502, the process determines whether an unauthorized user has been detected. Various processes that can detect an unauthorized user will be discussed in more detail in the descriptions to follow and in reference to FIGS. 6 a and 6 b. If an unauthorized user has not been detected, process 500 can end at step 504.

When an unauthorized user has been detected, any suitable information related to the electronic device, the current user of the electronic device (e.g., the unauthorized user), or both can be gathered at step 506. For example, as described above, information related to the current user's identity (e.g., the current user's photograph or voice recordings), operation of the electronic device (e.g., keylogs of any keystrokes, screenshots of the electronic device, any communication packets (e.g., Internet packets) served to the electronic device, or information related to a computer that has been coupled to the electronic device), location (e.g., location coordinates, geotagged photographs, photographs of the surrounding area), the mode of transportation of the electronic device, or any combination of the above can be gathered.

At step 508, functions of the electronic device can be restricted. For example, as described above, access to one or more applications or sensitive information can be restricted or prohibited, sensitive information can be erased or backed up on a remote server, or any combination of the above.

In some embodiments, step 506 can occur after step 508. In other embodiments, rather than both step 506 and step 508 occurring, only one of these steps may occur. In particular, the processes discussed herein are intended to be illustrative and not limiting, and one skilled in the art could appreciate that steps of the processes discussed herein can be omitted, modified, combined, rearranged, and any additional steps can be performed without departing from the scope of the invention.

At step 510, an alert notification is transmitted to the responsible party. As described above, the alert notification can be a general message (e.g., “Warning, your cellular phone may have been stolen”), can contain any of the information gathered at step 506, or any combination of the above. Also as described above, the alert notification can be transmitted through any suitable medium such as, for example, a voice mail, a phone call, a text message, a facsimile, through a VoIP application (e.g., Skype™ or Windows™ Live Messenger), through an instant messaging application (e.g., AOL Instant Messenger™ or MSN Messenger™), a message through an on-line profile (e.g., Facebook™ or Friendster™), a message through an on-line blog (e.g., Twitter or Xanga™), or through a “cloud” server (e.g., to a Mobile Me account associated with the owner of the electronic device).

FIG. 6 a and FIG. 6 b show illustrative processes 600 and 610, respectively, that can each be used to detect an unauthorized user. For example, as described above, processes 600 and 610 can be implemented at step 502 of FIG. 5 to detect an unauthorized user.

Process 600 of FIG. 6 a can determine the identity of a current user at step 602. For example, as described above, the current user can have his photograph taken, the current user's voice can be recorded, or an ECG of the current user's heartbeat can be recorded.

At step 604, process 600 can determine whether the current user matches an authorized user of the electronic device. For example, if a photograph of the current user was taken at step 602, this photograph can be compared to images stored in a database of authorized users. Similarly, if a voice recording of the current user was taken at step 602, this recording can be compared to voice recordings (e.g., voice prints) of authorized users stored in a database. As another example, if an ECG was taken at step 602, this ECG can be compared to the ECG of the owner of the electronic device (e.g., compared to the heart signature of the owner). If the current user does not match an authorized user, he can be detected as an unauthorized user at step 606. If, however, the current user does match an authorized user, process 600 can end at step 608.

To detect an unauthorized user, process 610 of FIG. 6 b can determine whether particular activities are identified at step 612. As described above, the particular activities can include any activities indicating suspicious behavior such as, for example, entering an incorrect password a predetermined number of times in a row, entering an incorrect password a predetermined number of times within a period of time, hacking the electronic device, jailbreaking the electronic device, unlocking of the electronic device, removing a SIM card from the electronic device, moving the electronic device a predetermined distance from a synced device, or any combination of the above. If a particular activity is identified, the current user can be detected as an unauthorized user at step 614. If, however, a particular activity is not identified, process 610 can end at step 616.
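The two password-based activities of step 612 are distinct rules: a run of consecutive failures, and a count of failures inside a time window that a single correct entry does not clear. The following is an added example, not code from the patent; the class name, thresholds, and sample events are constructed for illustration, and timestamps are assumed to be non-decreasing seconds.

```python
from collections import deque

class FailedUnlockDetector:
    """Hypothetical detector for the two incorrect-password rules of step 612."""

    def __init__(self, max_consecutive=3, max_in_window=4, window_seconds=60):
        self.max_consecutive = max_consecutive
        self.max_in_window = max_in_window
        self.window_seconds = window_seconds
        self.consecutive = 0
        self.failures = deque()  # timestamps of failures still inside the window

    def record(self, timestamp, success):
        """Return the name of the rule tripped by this attempt, or None."""
        if success:
            # A correct entry ends the "in a row" run, but earlier failures
            # stay in the time window so interleaved guessing is still counted.
            self.consecutive = 0
            return None
        self.consecutive += 1
        self.failures.append(timestamp)
        while timestamp - self.failures[0] > self.window_seconds:
            self.failures.popleft()
        if self.consecutive >= self.max_consecutive:
            return "consecutive"
        if len(self.failures) >= self.max_in_window:
            return "window"
        return None

# Constructed sample: (timestamp in seconds, password correct?)
SAMPLE_EVENTS = [
    (0, False), (10, False), (15, True), (20, False), (30, False),
    (100, True), (200, False), (210, False), (220, False),
]

def replay(events, detector=None):
    """Feed events to a detector and return [(timestamp, rule), ...] hits."""
    detector = detector or FailedUnlockDetector()
    hits = []
    for timestamp, success in events:
        rule = detector.record(timestamp, success)
        if rule:
            hits.append((timestamp, rule))
    return hits
```

On the sample events, the window rule fires at t=30 even though the correct entry at t=15 broke the consecutive run, and the consecutive rule fires at t=220 after the earlier failures have aged out of the window.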

The processes discussed above are intended to be illustrative and not limiting. Persons skilled in the art could appreciate that steps of the processes discussed herein can be omitted, modified, combined, rearranged, or combinations of these, and any additional steps can be performed without departing from the scope of the invention.

The above described embodiments of the present invention are presented for purposes of illustration and not of limitation, and the present invention is limited only by the claims which follow.

What is claimed is:
1. A method for identifying an unauthorized user of an electronic device, the method comprising: monitoring with the electronic device usage of at least one memory of the electronic device; detecting with the electronic device a sudden increase in the monitored memory usage; and determining with the electronic device that a current user of the electronic device is the unauthorized user in response to the detecting.